Forwarding DNS requests from unmanaged interface to https-dns-proxy

I have an unmanaged interface that I use for tailscale. This interface is assigned its own firewall zone:

/etc/config/network
config interface 'tailscale'
	option proto 'none'
	option device 'tailscale0'

/etc/config/firewall
config zone
	option name 'tailscale'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'tailscale'

config forwarding
	option src 'tailscale'
	option dest 'lan'

config forwarding
	option src 'tailscale'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'tailscale'

I want to forward DNS requests from this interface to https-dns-proxy. I have tried simply adding the interface to an existing dnsmasq instance (see below for config), but it doesn't seem to work.

/etc/config/dhcp
config dnsmasq 'main_dns'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option noresolv '1'
	option ednspacket_max '1232'
	list notinterface 'loopback'
	list server '/mask.icloud.com/'
	list server '/mask-h2.icloud.com/'
	list server '/use-application-dns.net/'
	list server '127.0.0.1#5053'
	list doh_server '127.0.0.1#5053'
	list interface 'guest'
	list interface 'lan'
	list interface 'tailscale'

Is anybody able to advise what I'm missing here?

Thank you.

If you remove all interfaces, dnsmasq will listen on all interfaces, but you can keep it the way it is.

Try disabling option localservice: option localservice '0'

https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#providing_dns_for_non-local_networks

Thank you.

The reason I have explicitly listed interfaces under the dnsmasq instance is that I have multiple dnsmasq instances, which forward to different HTTPS DNS Proxy instances (e.g. I have a 'family safe' resolver).

I have added option localservice '0', but the result is still the same when using my OpenWrt as an exit node: connected tailscale clients are still using a different DNS resolver to the one I expect.

Your tailscale clients will not automatically use your router's address as DNS server.
On the client side, you have to point your client to exclusively use your router as DNS server.

Understood.

So in my tailscale DNS settings, I should set the Global DNS server to be the (private) IP address of my router? E.g. 192.168.1.1?
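
Added example, not part of the original thread: with several dnsmasq instances each forwarding to its own https-dns-proxy listener, as described above, this shell helper reads a dhcp config and reports which instance and upstream forwarder each listed interface is bound to. The sample config is constructed; the 'family_dns' instance, the 'kids' interface and port 5054 are hypothetical names.

```shell
# dns_map FILE -> one line per listed interface: "<iface> <instance> <upstreams>"
dns_map() {
    awk -v q="'" '
    function unq(s) { gsub("[" q "\"]", "", s); return s }
    function emit(   i) {
        if (inst == "") return
        for (i = 1; i <= n; i++) print ifs[i], inst, (ups == "" ? "-" : ups)
    }
    $1 == "config" {
        emit(); inst = ""; n = 0; ups = ""
        if ($2 == "dnsmasq") inst = ($3 == "" ? "(anonymous)" : unq($3))
        next
    }
    inst != "" && $1 == "list" && $2 == "interface" { ifs[++n] = unq($3) }
    inst != "" && $1 == "list" && $2 == "server" {
        s = unq($3)
        # "/domain/" with no address after it is not a forwarder; skip it
        if (s !~ /^\/.*\/$/) ups = (ups == "" ? s : ups "," s)
    }
    END { emit() }
    ' "$1"
}

# resolver_for FILE IFACE -> "<instance> <upstreams>"
# exit status: 0 = exactly one instance lists IFACE, 1 = none, 2 = several
resolver_for() {
    dns_map "$1" | awk -v i="$2" '
        $1 == i { print $2, $3; hits++ }
        END { exit (hits == 1 ? 0 : (hits ? 2 : 1)) }'
}

# Constructed sample: main_dns is abridged from the config in the thread;
# family_dns, the "kids" interface and port 5054 are hypothetical.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
config dnsmasq 'main_dns'
	list server '/use-application-dns.net/'
	list server '127.0.0.1#5053'
	list interface 'guest'
	list interface 'lan'
	list interface tailscale

config dnsmasq 'family_dns'
	list server '127.0.0.1#5054'
	list interface 'kids'
EOF
dns_map "$SAMPLE"
```

On the router, `resolver_for /etc/config/dhcp tailscale` gives the same report for the live config. It checks only the router's configuration, not which resolver a connected client actually queries.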